<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>eCryptfs</title>
<link rel="stylesheet" type="text/css" href="../C.css">
<script type="text/javascript" src="../jquery.js"></script><script type="text/javascript" src="../jquery.syntax.js"></script><script type="text/javascript" src="../yelp.js"></script>
</head>
<body id="home">
<!--<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">
        _uacct = "UA-1018242-8";
        urchinTracker();
      </script><script>
      function englishPageVersion() {
        var href = window.location.href;
        if (href.slice(-1) == "/") {
                window.location = "index.html.en";
        } else {
                window.location = href.replace(/\.html.*/, ".html.en");
        }
         return false;
      }
      function browserPreferredLanguage() {
        var href = window.location.href;
        if (href.slice(-1) == "/") {
                window.location = href;
        } else {
                window.location = href.replace(/\.html.*/, ".html");
        }
        return false;
      }
      </script>--><div id="container">
<div id="container-inner">
<div id="mothership"><ul>
<li><a href="https://partners.ubuntu.com">Partners</a></li>
<li><a href="https://www.ubuntu.com/support/community-support">Support</a></li>
<li><a href="https://community.ubuntu.com">Community</a></li>
<li><a href="https://www.ubuntu.com">Ubuntu.com</a></li>
</ul></div>
<div id="header">
<h1 id="ubuntu-header"><a href="https://help.ubuntu.com/">Ubuntu Documentation</a></h1>
<ul id="main-menu">
<li><a class="main-menu-item current" href="https://help.ubuntu.com/">Official Documentation</a></li>
<li><a href="https://help.ubuntu.com/community/CommunityHelpWiki">Community Help Wiki</a></li>
<li><a href="https://community.ubuntu.com/t/contribute/26">Contribute</a></li>
</ul>
</div>
<div id="menu-search"><div id="search-box">
<noscript><form action="https://www.google.com/cse" id="cse-search-box"><div>
<input type="hidden" name="cx" value="003883529982892832976:e2vwumte3fq"><input type="hidden" name="ie" value="UTF-8"><input type="text" name="q" size="21"><input type="submit" name="sa" value="Search">
</div></form></noscript><!--
<script>
                document.write('<form action="https://help.ubuntu.com/search.html" id="cse-search-box">');
                document.write('  <div>');
                document.write('    <input type="hidden" name="cof" value="FORID:9">');
                document.write('    <input type="hidden" name="cx" value="003883529982892832976:e2vwumte3fq">');
                document.write('    <input type="hidden" name="ie" value="UTF-8">');
                document.write('    <input type="text" name="q" size="21">');
                document.write('    <input type="submit" name="sa" value="Search">');
                document.write('  </div>');
                document.write('</form>');
              </script>-->
</div></div>
<div class="trails"><div class="trail">
<a href="https://help.ubuntu.com/18.04" class="trail">Ubuntu 18.04</a> » <a class="trail" href="../index.html" title="Ubuntu Server Guide">Ubuntu Server Guide</a> » <a class="trail" href="security.html" title="Security">Security</a> » </div></div>
<div id="cwt-content" class="clearfix content-area"><div id="page">
<div id="content">
<div class="links nextlinks">
<a class="nextlinks-prev" href="certificates-and-security.html" title="Certificates">Previous</a><a class="nextlinks-next" href="../monitoring/monitoring.html" title="Monitoring">Next</a>
</div>
<div class="hgroup"><h1 class="title">eCryptfs</h1></div>
<div class="region">
<div class="contents">
<p class="para">
          <span class="em emphasis">eCryptfs</span> is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. Layering on
          top of the filesystem layer <span class="em emphasis">eCryptfs</span> protects files no matter the underlying filesystem, partition 
          type, etc.
          </p>
<p class="para">
          During installation there is an option to encrypt the <span class="file filename">/home</span> partition.  This will automatically
          configure everything needed to encrypt and mount the partition.
          </p>
<p class="para">
          As an example, this section will cover configuring <span class="file filename">/srv</span> to be encrypted using <span class="em emphasis">eCryptfs</span>.
          </p>
</div>
<div class="links sectionlinks" role="navigation"><ul>
<li class="links"><a class="xref" href="ecryptfs.html#ecryptfs-usage" title="Using eCryptfs">Using eCryptfs</a></li>
<li class="links"><a class="xref" href="ecryptfs.html#ecryptfs-automount" title="Automatically Mounting Encrypted Partitions">Automatically Mounting Encrypted Partitions</a></li>
<li class="links"><a class="xref" href="ecryptfs.html#ecryptfs-other-utils" title="Other Utilities">Other Utilities</a></li>
<li class="links"><a class="xref" href="ecryptfs.html#eCryptfs-references" title="References">References</a></li>
</ul></div>
<div class="sect2 sect" id="ecryptfs-usage"><div class="inner">
<div class="hgroup"><h2 class="title">Using eCryptfs</h2></div>
<div class="region"><div class="contents">
<p class="para">
            First, install the necessary packages. From a terminal prompt enter:
            </p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo apt install ecryptfs-utils</span>
</pre></div>
<p class="para">
            Now mount the partition to be encrypted:
            </p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo mount -t ecryptfs /srv /srv</span>
</pre></div>
<p class="para">
            You will then be prompted for some details on how <span class="app application">ecryptfs</span> should encrypt the data.
            </p>
<p class="para">
            To test that files placed in <span class="file filename">/srv</span> are indeed encrypted copy the <span class="file filename">/etc/default</span>
            folder to <span class="file filename">/srv</span>:
            </p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo cp -r /etc/default /srv</span>
</pre></div>
<p class="para">
            Now unmount <span class="file filename">/srv</span>, and try to view a file:
            </p>
<div class="screen"><pre class="contents "><span class="cmd command">sudo umount /srv</span>
<span class="cmd command">cat /srv/default/cron</span>
</pre></div>
<p class="para">
            Remounting <span class="file filename">/srv</span> using <span class="app application">ecryptfs</span> will make the data viewable once again.
            </p>
</div></div>
</div></div>
<div class="sect2 sect" id="ecryptfs-automount"><div class="inner">
<div class="hgroup"><h2 class="title">Automatically Mounting Encrypted Partitions</h2></div>
<div class="region"><div class="contents">
<p class="para">
            There are a couple of ways to automatically mount an <span class="app application">ecryptfs</span> encrypted filesystem 
            at boot. This example will use a <span class="file filename">/root/.ecryptfsrc</span> file containing mount options, along with
            a passphrase file residing on a USB key.
            </p>
<p class="para">
            First, create <span class="file filename">/root/.ecryptfsrc</span> containing:
            </p>
<div class="code"><pre class="contents ">key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
</pre></div>
<div class="note" title="Note"><div class="inner"><div class="region"><div class="contents">
              <p class="para">
              Adjust the <span class="em emphasis">ecryptfs_sig</span> to the signature in <span class="file filename">/root/.ecryptfs/sig-cache.txt</span>.
              </p>
            </div></div></div></div>
<p class="para">
            Next, create the <span class="file filename">/mnt/usb/passwd_file.txt</span> passphrase file:
            </p>
<div class="code"><pre class="contents ">passphrase_passwd=[secrets]
</pre></div>
<p class="para">
            Now add the necessary lines to <span class="file filename">/etc/fstab</span>:
            </p>
<div class="code"><pre class="contents ">/dev/sdb1       /mnt/usb        ext3    ro      0 0
/srv /srv ecryptfs defaults 0 0
</pre></div>
<p class="para">
            Make sure the USB drive is mounted before the encrypted partition.  
            </p>
<p class="para">
            Finally, reboot and the <span class="file filename">/srv</span> should be mounted using <span class="em emphasis">eCryptfs</span>.  
            </p>
</div></div>
</div></div>
<div class="sect2 sect" id="ecryptfs-other-utils"><div class="inner">
<div class="hgroup"><h2 class="title">Other Utilities</h2></div>
<div class="region"><div class="contents">
<p class="para">
            The <span class="app application">ecryptfs-utils</span> package includes several other useful utilities:
            </p>
<div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist">
                <p class="para">
                <span class="em emphasis">ecryptfs-setup-private:</span> creates a <span class="file filename">~/Private</span> directory 
                to contain encrypted information.  This utility can be run by unprivileged users to keep 
                data private from other users on the system.
                </p>
              </li>
<li class="list itemizedlist">
                <p class="para">
                <span class="em emphasis">ecryptfs-mount-private</span> and <span class="em emphasis"> ecryptfs-umount-private</span> will mount and unmount
                 a user's <span class="file filename">~/Private</span> directory.
                </p>
              </li>
<li class="list itemizedlist">
                <p class="para">
                <span class="em emphasis">ecryptfs-add-passphrase:</span> adds a new passphrase to the kernel keyring.
                </p>
              </li>
<li class="list itemizedlist">
                <p class="para">
                <span class="em emphasis">ecryptfs-manager:</span> manages <span class="app application">eCryptfs</span> objects such as keys.
                </p>
              </li>
<li class="list itemizedlist">
                <p class="para">
                <span class="em emphasis">ecryptfs-stat:</span> allows you to view the <span class="app application">ecryptfs</span> meta information
                for a file.
                </p>
              </li>
</ul></div>
</div></div>
</div></div>
<div class="sect2 sect" id="eCryptfs-references"><div class="inner">
<div class="hgroup"><h2 class="title">References</h2></div>
<div class="region"><div class="contents"><div class="list itemizedlist"><ul class="list itemizedlist">
<li class="list itemizedlist">
                <p class="para">
                For more information on <span class="em emphasis">eCryptfs</span> see the <a href="https://launchpad.net/ecryptfs" class="ulink" title="https://launchpad.net/ecryptfs">Launchpad project page</a>.
                </p>
              </li>
<li class="list itemizedlist">
                <p class="para">
                There is also a <a href="http://www.linuxjournal.com/article/9400" class="ulink" title="http://www.linuxjournal.com/article/9400">Linux Journal</a> article covering <span class="em emphasis">eCryptfs</span>.
                </p>
              </li>
<li class="list itemizedlist">
                <p class="para">
                Also, for more <span class="app application">ecryptfs</span> options and details see the
                <a href="http://manpages.ubuntu.com/manpages/bionic/en/man7/ecryptfs.7.html" class="ulink" title="http://manpages.ubuntu.com/manpages/bionic/en/man7/ecryptfs.7.html">ecryptfs man page</a>.
                </p>
              </li>
</ul></div></div></div>
</div></div>
</div>
<div class="links nextlinks">
<a class="nextlinks-prev" href="certificates-and-security.html" title="Certificates">Previous</a><a class="nextlinks-next" href="monitoring.html" title="Monitoring">Next</a>
</div>
<div class="clear"></div>
</div>
<div id="pagebottom"></div>
</div></div>
</div>
<div id="footer"><p>The material in this document is available under a free license, see <a href="https://help.ubuntu.com/legal.html">Legal</a> for details.<br>
          For information on contributing see the <a href="https://wiki.ubuntu.com/DocumentationTeam">Ubuntu Documentation Team wiki page</a>.
          To report errors in this serverguide documentation, <a href="https://bugs.launchpad.net/serverguide">file a bug report</a>.</p></div>
</div>
</body>
</html>
